2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Complete Application security for DevSecOps
CREST-certified penetration testing.
3. What are Vulnerabilities
“A vulnerability is a weakness which can be exploited by a threat actor.”
• Given one or more classifications
  • CVE, OWASP, CWE
• Scored
  • CVSS 3.1
4. What is Risk
“expose (someone or something valued) to danger, harm, or loss.”
In vulnerability terms:
“the probability of a vulnerability being exploited and the impact that has on the organization”
11. Is this a view of your vulnerability landscape…
12. Why overwhelmed?
In 2020 there were 18,352 vulns published
Of which 2,709 Critical (14.8%) and 7,634 High (41.6%)
Or 10,343 vulns on your radar (56.4%)
13. How do you go from this
• Too many vulnerabilities needing immediate attention
• Never able to meet KPIs
• More new ones than remediated ones
• Sense of drowning
14. To this
• Getting a handle on your VM program
• Effectively managing the real risks
• Feel like winning the race
15. Change your mindset
• Old way
  • Focus on CVSS score
    • 1st critical
    • 2nd high
    • 3rd medium
    • 4th anything else
  • Usually results in 1,000s of vulns
• New Way
  • Use risk scoring
  • Classify assets
    • Criticality or importance
    • Exposure
  • Add in exploit prediction for early warning
  • Typically, 5 – 10% of the total vulns
16. Customer example with 77,700+ findings
• CVSSv3 – 12,149 findings (C 1,730; H 10,419)
• Risk based – 6,825 across all CVSS scores (C 155; H 1,284)
[Pie chart: CVSS Based VM – Critical 14%, High 86%]
[Pie chart: Risk Based – Critical 2%, High 19%, Medium 50%, Low 14%, CVSSv2 15%]
17. Patching Approaches
From Reactive through Active to Proactive (source: https://www.cyr3con.ai/):
• Patch all vulns in the order received
• Patch all vulns by CVSS
• Patch all Critical/High vulns; as many others as possible
• Patch vulns that have PoC exploits / have been exploited in the wild
• Patch vulns that are likely to be / have been exploited in the wild
18. Moving to a proactive remediation program
• You focus on risk to the business not a CVSS score – you ask these questions:
  • What is the current risk of the vulnerability?
  • Has it been or will it be weaponized?
  • Is it present on a business impacting asset?
  • Is that business impacting asset exposed?
  • Patch it.
19. Proactive remediation in action
• A customer
  • Focuses on likelihood of > 30.0 (out of 38.46, or >78% chance of exploit)
  • Gives a total number of in scope vulns: 6,825 (out of 77,700)
    • Critical 155
    • High 1,284
    • Medium 3,396
    • Low 955
    • CVSSv2 1,035
[Pie chart: Proactive remediation – Critical 2%, High 19%, Medium 50%, Low 14%, CVSSv2 15%]
20. To boldly go further
• Add threat intelligence activity to further tune the number of in scope vulns
• Example: is a vulnerability with an exploit that has had no activity for 4 years as urgent as one that was exploited 4 days ago?
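The prioritisation described on slides 15, 18, 19 and 20, as an added worked example that is not code from the deck or from Outpost24: the 38.46 scale and the 30.0 threshold are the deck's own numbers, while the findings, asset flags, dates and the four-year staleness cut-off are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_LIKELIHOOD = 38.46        # likelihood scale quoted in the deck
LIKELIHOOD_THRESHOLD = 30.0   # the customer's in-scope cut-off (about 78% chance of exploit)

@dataclass
class Finding:
    ref: str                       # constructed label, not a real CVE id
    severity: str                  # CVSS severity: Critical / High / Medium / Low
    likelihood: float              # exploit-prediction score on the 0..38.46 scale
    asset_critical: bool           # is it on a business-impacting asset?
    asset_exposed: bool            # is that asset exposed (e.g. internet-facing)?
    last_activity: Optional[date]  # latest exploitation activity seen in threat intel

def likelihood_pct(score):
    """Express a likelihood score as the percentage the deck quotes (30.0 -> 78)."""
    return round(100 * score / MAX_LIKELIHOOD)

def cvss_scope(findings):
    """Old way: every Critical and High finding is in scope, whatever its context."""
    return [f for f in findings if f.severity in ("Critical", "High")]

def risk_scope(findings, today, stale_after_days=None):
    """New way: ask the deck's questions in order; any 'no' drops the finding.
    stale_after_days=None stops after the exposure check (slides 18-19);
    a value adds the threat-intelligence recency check from slide 20."""
    in_scope = []
    for f in findings:
        if f.likelihood <= LIKELIHOOD_THRESHOLD:      # has it been / will it be weaponized?
            continue
        if not f.asset_critical:                       # is it on a business-impacting asset?
            continue
        if not f.asset_exposed:                        # is that asset exposed?
            continue
        if stale_after_days is not None and (          # any exploit activity recently?
                f.last_activity is None
                or (today - f.last_activity).days > stale_after_days):
            continue
        in_scope.append(f)                             # patch it
    return in_scope

# Constructed sample findings, assessed "today" = 1 June 2021
TODAY = date(2021, 6, 1)
SAMPLE = [
    Finding("F-1", "Critical", 12.0, True,  False, None),              # loud CVSS, unlikely to be exploited
    Finding("F-2", "High",     33.5, True,  True,  date(2021, 5, 28)), # exploited 4 days ago
    Finding("F-3", "High",     31.0, True,  True,  date(2017, 5, 1)),  # exploit exists, idle for 4 years
    Finding("F-4", "Medium",   34.2, True,  True,  date(2021, 5, 20)), # only Medium by CVSS, yet real risk
    Finding("F-5", "High",     36.0, False, True,  date(2021, 5, 30)), # not a business-impacting asset
    Finding("F-6", "Low",      35.0, True,  False, date(2021, 5, 30)), # critical asset, but not exposed
]
```

On this sample the CVSS-first filter keeps four findings, the risk filter keeps three (including the Medium), and adding the four-year threat-intelligence cut-off brings it down to two.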
21. We can go further
• With this change, the customer has 169 total findings in remediation scope
  • Critical 15
  • High 66
  • Medium 67
  • Non V3 21
• Out of 77,700 (0.3%)
[Pie chart: Using TI as part of the equation – Critical 9%, High 39%, Medium 40%, V2 only 12%]
23. Vulnerability ≠ Risk
• Remediate risks not vulnerabilities
• Focusing on top XX% of your vulns
• Build a tiered remediation plan
  • Use Vuln risk
  • Business impact
  • Exposure
  • Threat intelligence activity
• Change your mindset from the old to the new
24. Putting it into practice
Use the capabilities of Farsight to
• Identify and group assets by exposure and criticality
• Use threat intelligence to enrich each vulnerability's threat context
• Reduce the number of in scope vulnerabilities
25. Want to know more
• Check out how RBVM could be a game changer for your VM program
  • https://outpost24.com/products/network-security/risk-based-vulnerability-management
  • https://marketing.outpost24.com/mkg/whitepaper/reduce-time-to-remediation-with-predictive-risk-based-vulnerability-management
• Explore our Farsight blog content on high risk CVEs